CSCvv83510 - ISE 3.0 Upgrade failing at step RuleResultsSGTUpgradeService

kms4
Level 1

I'm not 100% sure this is in the right category, but if I need to move it to security specifically, I will. We have an ISE 2.7 patch 3 installation in our lab that we'd like to upgrade to version 3.0. Running the URT tool gives us the following output:

- Data upgrade step 15/32, UpnDictionaryCreation(3.0.0.368)... Done in 0 seconds.
- Data upgrade step 16/32, UpnProfileCreation(3.0.0.368)... Done in 0 seconds.
- Data upgrade step 17/32, SessionServiceAgentlessRegistration(3.0.0.375)... Done in 0 seconds.
- Data upgrade step 18/32, PostureSettingsAgentlessRegistration(3.0.0.382)... Done in 0 seconds.
- Data upgrade step 19/32, SxpConnectionUpgrade(3.0.0.382)... Done in 0 seconds.
- Data upgrade step 20/32, RestIDStoreSettingsRegistration(3.0.0.385)... Done in 0 seconds.
- Data upgrade step 21/32, AnyNadProfIdRegistration(3.0.0.388)... Done in 0 seconds.
- Data upgrade step 22/32, AuthProfileUpgradeService(3.0.0.389)... Done in 0 seconds.
- Data upgrade step 23/32, AccessSecretEncryptionUpgrade(3.0.0.436)... Done in 0 seconds.
- Data upgrade step 24/32, ProvisioningRegistration(3.0.0.441)... Done in 6 seconds.
- Data upgrade step 25/32, UPSUpgradeHandler(3.0.0.442)... Done in 4 seconds.
- Data upgrade step 26/32, RuleResultsSGTUpgradeService(3.0.0.450)... Failed.
- Failed
Final cleanup before exiting...

And inside dpupgrade-data-global-xxx-xxx.log

Instance details com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService@69f84c14
 Error while applying changes in version: 3.0.0.450 class: com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService
com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: Cannot find SGT e36a5120-6b0b-11eb-87fd-a6691416ff13 in DB
	at com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService.upgrade(RuleResultsSGTUpgradeService.java:52)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)
Caused by: com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: Cannot find SGT e36a5120-6b0b-11eb-87fd-a6691416ff13 in DB
	at com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService.upgradeObligation(RuleResultsSGTUpgradeService.java:93)
	at com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService.upgrade(RuleResultsSGTUpgradeService.java:45)
	... 2 more
Caused by: com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: Cannot find SGT e36a5120-6b0b-11eb-87fd-a6691416ff13 in DB
	at com.cisco.cpm.policy.configuration.upgrade.RuleResultsSGTUpgradeService.upgradeObligation(RuleResultsSGTUpgradeService.java:82)
	... 3 more
ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED

It is failing because of CSCvv83510. It seems this is related to SGTs, which we have modified on this installation by removing some default ones, adding others, and deleting them. I think it is unlikely that we can get this missing UDID back. The bug says that ISE 3.0 patch 1 fixes the issue, but you can't upgrade to a patch. It also says there is no workaround. Does anyone know how to perform this upgrade?

1 Accepted Solution

patoberli
VIP Alumni

FYI this should be fixed now, if you first upgrade to 2.7 Patch 4 before upgrading to 3.x. 

See release notes: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/release_notes/b_ise_27_RN.html 
